5d724596617254a897bc00213b5f6845c64deb8d0c0e1e432371784ef9217b0d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe
Size

34KB
MD5

86449b341d8ca32155a32f8a5330d2a8
SHA1

470b54f2cfed2032fa5fe5170935826842252bc1
SHA256

5d724596617254a897bc00213b5f6845c64deb8d0c0e1e432371784ef9217b0d
SHA512

0e2c89bd0a7708a4f9880bded028dff87a27609180b28a1941c4a403c23a58b3835cd171ac7bda65fac46f73b01a132116dda3563a8192e313118627fde9510b
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsgqDxN:b/yC4GyNM01GuQMNXw2PSjSKkcJeN

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002327d-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3244	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 3244	3832	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	81
PID 3832 wrote to memory of 3244	3832	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	81
PID 3832 wrote to memory of 3244	3832	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	81

C:\Users\Admin\AppData\Local\Temp\2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
34KB

MD5
d4c8b80d874a952c479e20904db75396

SHA1
11d7c3c604045784bffea03a812f3eda20f43b05

SHA256
d143916f4ec322b7d7470ecc9b0c6263ea569ade24588fb8c941754bc94bd2ed

SHA512
b9bb5a0c1b2e259346f280546b0efffd6b94da4aa192c3a85416bf11dada5e3df4b25161235fa0caad646ad4435e154ff186036dc36f8880d5e3475f38bde594

Download Submit
memory/3244-25-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/3832-0-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/3832-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3832-8-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download